net.wars: A SWIFT kick

One of the clear trends of the last five years has been increasing international surveillance, especially by or on behalf of the US. Foreign visitors to the US are now welcomed with demands for fingerprints and other biometrics; airlines flying to the US are required to hand over passenger data even before the plane pushes back; and, behind the scenes, the co-operative that handles interbank transfers within Europe has been sending the US Treasury Department banking records that the average European citizen almost certainly assumes are confidential.

This week, the Article 29 group – a panel of European Commissioners for Freedom, Security, and Justice – ruled that the interbank money transfer service SWIFT (Society for Worldwide Interbank Financial Telecommunication) has failed to respect the provisions of the EU Data Protection directive by transferring personal financial data to the US in a manner the press release describes as "hidden, systematic, massive, and long-term."

It doesn't sound like much when you say that a few people brought a complaint about an obscure organisation to an equally obscure branch of the EU government and won. It sounds like a lot more when you say that a few people brought a complaint that, upheld, means that the European financial world will have to change its behaviour.

The transfers are part of anti-terrorist programs put in place after the September 11, 2001 attacks to allow American intelligence agency analysts to spot funds being sent to finance terrorists. The problem is that, under EU law, the Data Protection Directive forbids the transfer of personal data to countries that do not have the same level of protection in place; the US is most certainly in that category. Simon Davies, executive director of Privacy International, says the goal in making the complaint that led to the Article 29 group's decision was not to stop all data transfers. "The data should be transferred when there's some level of evidence," he says. What PI objected to was the lack of oversight from anyone outside the cooperative, which is owned by the many private companies – banks, brokers, investment managers, and corporations.

"Now that we know SWIFT was acting illegally," says Davies, "the aim is to bring SWIFT and the banks to account, first by establishing a meaningful oversight mechanism, and second by bringing some transparency to the whole arrangement." Part of Privacy International's involvement was, together with the American Civil Liberties Union, to prepare a report on the involvement of consulting firm Booz Allen Hamilton, which is SWIFT's supposedly independent auditor but which, according to the report, has been deeply involved with American surveillance programs for the last ten years. Booz Allen told the New York Times that it rejected PI's charges.

PI's next step, Davies says, will be to contact the banks to ask what they intend to do or have done to comply with the decision. Under the law, they have 30 days to reply. "At the end of the 30 days, unless they provide evidence that they have complied, we then follow up with a second round of complaints to all commissioners worldwide." The US, of course, has no data protection commissioner – and even if it did, the transfers are legal there – so the list Davies is talking about is all the EU countries, Canada, Hong Kong, Australia, New Zealand, and a smattering of others.

"What they do depends on their powers in each country," says Davies, noting that "the UK is particularly weak." Unlimited fines can be imposed, should the commissioners so choose. "If SWIFT doesn't make an adult decision to deal with the situation, then it's up to member banks to use their voting rights within SWIFT to force change."

Meanwhile, he says, "SWIFT is also stuck. They have to comply with subpoenas issued by US authorities." Otherwise, SWIFT would be incurring criminal liability.

Davies' belief is that what's needed is either a truly independent oversight body or perhaps a former judge, to review proposed data transfers and ensure they comply with the law.

That, of course, is not what the US wants; Jane Horvath, chief privacy and civil liberties officer for the US Department of Justice, told the recent international conference of data protection officers that the US does, too, have privacy laws, and that everyone should get together and agree on some kind of global data law. Under EU law, however, the US would have to raise its privacy protections to EU standards before sending data there would be legal.

This seems unlikely, but you never know. A couple of years ago, when the EU had the choice of honoring data protection law or sending the US government all the airline passenger data it wanted, the EU caved and sent the passenger data. Still, in this era when people seem willing to justify almost any amount of privacy invasion with the words "anti-terrorism", it was heartening to read the Working Party's final comment on the whole thing:

"The Working Party recalls that any measures taken in the fight against crime and terrorism should not and must not reduce standards of protection of fundamental rights which characterise democratic societies."